Good idea about index.html to avoid listing, that should be used as well.

Also, .htaccess does not work on Windows servers. The more I think about it, there is no concrete way of securing these files. The user could secure them quite well depending on their server, but they won’t bother, so we need to do that for them – if possible. The last idea we thought about was a PHP rename and doing some mumbo jumbo with file names, how about that?
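One server-agnostic way to act on the ideas in this post (an index.html against listings, an .htaccess for Apache, and the Windows/IIS case where .htaccess is ignored), as an added example rather than code from the thread or from TGM: a PHP function, run once from the theme, that writes the three protective files into the bundled-plugins directory. The function name, the `$dir` argument and the web.config rule are assumptions; the .htaccess only takes effect where the host's AllowOverride permits it, and IIS reads web.config in place of .htaccess.

```php
<?php
// Added example (not from the thread or from TGM): write protective files into the
// folder holding the bundled plugin zips so direct downloads are refused on Apache
// (.htaccess) and on IIS/Windows (web.config), and so the folder shows an empty
// page instead of a listing where neither rule applies (index.html).
function protect_bundled_plugins_dir($dir) {
    // Apache needs AllowOverride to permit Require (2.4) or Order/Deny (2.2) here.
    $htaccess = <<<'APACHE'
<IfModule mod_authz_core.c>
    Require all denied
</IfModule>
<IfModule !mod_authz_core.c>
    Order deny,allow
    Deny from all
</IfModule>
APACHE;

    // IIS: Request Filtering answers 404 to any .zip request under this folder.
    $webconfig = <<<'IIS'
<?xml version="1.0" encoding="UTF-8"?>
<configuration>
  <system.webServer>
    <security>
      <requestFiltering>
        <fileExtensions>
          <add fileExtension=".zip" allowed="false" />
        </fileExtensions>
      </requestFiltering>
    </security>
  </system.webServer>
</configuration>
IIS;

    $files = array(
        '.htaccess'  => $htaccess,
        'web.config' => $webconfig,
        'index.html' => '', // blank page rather than an auto-generated directory index
    );
    foreach ($files as $name => $body) {
        $path = rtrim($dir, '/\\') . DIRECTORY_SEPARATOR . $name;
        // Never clobber a file the site owner already placed there.
        if (!file_exists($path) && file_put_contents($path, $body) === false) {
            return false;
        }
    }
    return true;
}
```

The installer still reads the zips through the file system, so refusing HTTP requests for them does not stop the theme from installing the bundled plugins.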

freshface said
The user could secure them quite well depending on their server, but they won’t bother, so we need to do that for them – if possible. The last idea we thought about was a PHP rename and doing some mumbo jumbo with file names, how about that?

imho, there’s no real need for it. I mean, an evil user would have to know the exact zip name inside that folder to be able to download the plugin.

Now, could you explain to me how someone bad can know where you placed your bundled plugins? Is there a way to guess that plugins are hidden in /coolauthornameframework/inc/bundledplugins/?

If someone has a poorly configured robots.txt, Google sniffs out the file, and warez people exploit that. Just one of the ways.

It’s not about “nobody is going to find it anyway”, it’s that you shouldn’t wait for somebody to do so.

For example, if someone finds out you have a premium CodeCanyon plugin bundled in your theme, it’s not too hard to write a little crawler that uses Google to find where your theme is used and then checks if that site has removed the .zip file. If not, it automatically posts the link to the zip file in some forums, and there you go. Your buyer/client has just become a piracy distributor, just by installing your theme.

Even further. If a plugin author decides to be enough of an AH, he can do the same, and instead of distributing the file – sue everybody (not likely, but still…).

Thanks, +1. In a wild case, my buyer’s hosting company could even receive a DMCA from the plugin author when he finds the hotlink on some warez site. I think security should be viewed more black and white. As it is now, the packages inside the TGM folder are not secure. We are just trying to find a way to secure them.

As far as I know, Google crawls using links. Now it’s crawling / indexing directories?